EU-US Safe Harbor Status

. Introduction

In light of the decision of October 15, 2015 invalidating the US/EU Safe Harbor (the “October Decision”), there is uncertainty surrounding compliance with EU Directive 95/46 (the “Directive”), which prohibits “the transfer of personal data to a third country which does not ensure an adequate level of protection.”  Although the United States Department of Commerce (“Commerce”) continues to issue Safe Harbor certificates, those certificates can no longer be relied upon.

Compliance with the Safe Harbor policies (discussed in Section II below) may indeed provide adequate protection under the Directive; however there is no longer an enforceable “safe harbor” predetermining the adequacy of those policies.  Alternative methods for compliance with the Directive are available, including the inclusion of standard contractual provisions (discussed below).  Nevertheless, U.S. entities exporting data from the EU should remain vigilant of any regulatory changes, which are likely to come in the coming months, in particular the proposed Privacy Shield which is currently under review by the individual member states.

II. The Decision by the European Court of Justice Invalidating the Safe Harbor Program

In October 2015, that Safe Harbor program, which had been in place since 2000, was declared invalid by the European Court of Justice (ECJ).[1]  Thus, companies previously relying on the Safe Harbor no longer have such comfort.  Further complicating matters is the fact that the ECJ, the European Commission, the regulatory bodies of each of the 28 member states, and the courts of the individual member states all have a hand in enforcing the regime or promulgating regulations — with sometimes contradictory interpretations.  A privacy regulator in a particular member state has the authority to impose a ban on certain data transfers and impose fines.  Furthermore, individual EU citizens are entitled to compensation for damages related to a breach of his or her privacy rights.

The EU prohibits the transfer of personal data to a recipient outside the EU unless the law of the recipient’s country (the “Third Country”) is deemed to provide “adequate protection.”  In 2000, the European Commission held that “the adequate level of protection for the transfer of data from the Community to the United States . . . should be attained if organisations comply with the safe harbour privacy principles.”[2] Generally, those principles are described by Commerce as follows (the “Safe Harbor Principles”):

• Notice:  “Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.”[3]
• Choice:  “Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.”  Id.
• Onward Transfer (Transfers to Third Parties):  “To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.”  Id.
• Access:  “Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.” Id.
• Security:  “Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.” Id.
• Data integrity:  “Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.” Id.
• Enforcement:  “In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.” Id.

III. Status of Safe Harbor

As noted above, according to Commerce, in light of the “rapidly changing environment,” Commerce will “continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework.”[4]  Thus, obtaining a certificate remains possible, although it is insufficient from an EU perspective, and other methods of EU compliance may be necessary.

Uncertainty is also heightened because, although the Safe Harbor was declared invalid, its underlying principles have not been officially declared insufficient as an “adequate level of protection” by any member state.  By way of background, following enactment of the Directive, a number of Third Countries were analyzed to determine whether they provided “adequate protection.”  With regard to the United States, a nuanced decision was made — the country was found not to provide adequate protection as a whole, but adequate protection could be attained if the Safe Harbor principles were followed.  Thus, although there is no longer a “safe harbor” (i.e., there is no agreement pre-determining that such measures are adequate, or that those in compliance will not be subject to enforcement action), the Safe Harbor principles have not specifically been found to be inadequate under EU law.

IV. Alternative Methods of Compliance, including ‘Standard Contractual Clauses’

a. The Exceptions

There are a number of exceptions to the requirement that a Third Country must provide adequate protection.  Transfers are permitted if a contract between the customer and the service provider requires the data transfer.  This exception, known as contract performance, only applies if the data transfer is necessary for performance, not merely convenient or more efficient.  Furthermore, when faced with a subpoena, or when request for voluntary compliance is issued by a governmental authority, data can be transferred irrespective of the adequate protection requirement.  Finally, personal data may be transferred irrespective of the adequate protection requirement with consent, although consent is often difficult to obtain and must be provided in writing with full disclosures of the data’s use.  Different privacy bodies in the EU states may have differing standards as to what constitutes valid consent.

b. Standard Contractual Clauses

The European Commission has written contractual clauses which, if included in a data transfer agreement precisely as written, can be the legal basis for a transfer of data.[5]  The Article 29 Working Party (which represents the privacy regulatory bodies of the 28 EU member states) stated that, in the wake of the ECJ judgment, “Standard Contractual Clauses . . . can still be used.”[6]

However, the use of these standard clauses as a method of complying with the Directive has been called into doubt by the regulatory bodies of some member states following the October Decision.  The German privacy regulator, for example, issued a position paper that called on data exporters to exercise certain rights under the standard clauses, which permit suspension of data transfers if applicable laws of a Third Country prevent compliance.  The UK data agency, by contrast, has held the opposite – that the standard contractual clauses remain a valid method of legal data transfer.

In any event, in order to use the standard contractual clauses, they must be incorporated verbatim in the relevant agreement.  The clauses include certain warranties and affirmative disclosure obligations that the data importer must be comfortable with.

If you have any questions about the information contained in this blog post, please do not hesitate to contact Michael K. Levin or Joshua B. Sessler.

[1] Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, 2015 E.C.R. —, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=227527.

[2] 2000/520/EC: Commission Decision of 26 July 2000, Official Journal L 215 , 25/08/2000 P. 0007 – 0047, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML.

[3] Export.gov, U.S.-E.U. Safe Harbor Overview, available at https://build.export.gov/main/safeharbor/eu/eg_main_018476.

[4] Advisory, U.S. Commerce Dept., available at http://www.export.gov/safeharbor/.

[5] The standard contractual clauses are published by the European Commission and available at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

[6] Article 29 Data Protection Working Party, Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14)” (Oct. 16, 2015), available at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf.